This article was originally published on The Conversation. An audio version of the interview is available there. It has been lightly edited.

It’s 7:00am, and I’m driving down to Hull city centre to pick up Brett Johnson, known in cyberspace by the alias Gollumfun and dubbed the “Original Internet Godfather” by the US Secret Service.

Johnson was on the notorious US Most Wanted list in 2006 before being arrested for cyber crime and laundering US$4m. I’ve never met anyone whose name has been on that list, and so our encounter comes with some level of subliminal intimidation. Turns out, he’s both casual and friendly, and I’m keeping an open mind.

But I also have to remind myself that he’s a former cybercriminal who invented a “popular” online tax-return fraud scheme, plenty of identity theft variants, and ShadowCrew—the precursor to the Dark Web.

We’re scheduled to spend two days together. I invited Johnson to give a talk at the Business School of the University of Hull and, some weeks after his talk—in partnership with the FBI—at the University of Tulsa in Oklahoma, he flies over for his first trip to the UK.

Johnson—who over the course of the next 48 hours takes me through his former criminal mindset blending cybersecurity and money laundering (a topic that I’ve spent more than a decade researching)—exudes confidence but admits that being involved in cyber crime was the biggest mistake of his life.

He has nothing but good words for US Secret Service agents, but he did disappoint them when they let him out of prison on the understanding that he would work as an informant (he carried on committing fraud from within their premises).

Johnson praises the FBI as we walk along campus, and tears well up when he mentions the name of special agent K.M, who guided him in dropping cyber crime for good. His sister Denise and wife Michelle always come up when discussing how he turned his life around. They “saved my life,” he says, while recalling the hardships of his formative years when he felt pushed into skullduggery at the age of 10: the family fraud ring was led by his mother, who also convinced Johnson’s grandmother to join in.

“It was almost written in stone that I was going to end up in some sort of fraud,” he says.

His first marriage in 1994 was paid for courtesy of insurance fraud. Johnson staged a fake car accident to finance his wedding day. By the time he started using the Web, it was a natural progression to shift his fraudulent behavior online.

He started by scamming eBay buyers. Then he exploited a loophole when a Canadian judge ruled that satellite dishes can be “pirated” legally (in Canada, but not the US). Johnson reprogrammed the transmission cards for his Canadian customers and discovered he couldn’t fulfill the orders fast enough. Soon enough, he thought: “Why send them the product altogether? Who are they going to complain to?”

Clearly, Johnson made many, many mistakes. He’s the first to admit it and often points to himself as “this idiot” who broke the law, then broke it again, and took quite some time in prison (including eight months of solitary confinement) to come to terms with what he had done.

More than a decade later, he now channels his expertise in darknet intelligence gathering, blackhat auditing, penetration testing, and social engineering into his consultancy firm, Anglerphish Security. Johnson, who now advises Fortune 500 companies, seems confident that he has turned his back on crime. He tries, he says, to convince young cybercriminals—who contact him online—to quit their deceptive ways.

Schooled in the Dark (Web) arts

Cybercriminals are deluded when it comes to sidelining the consequences of their actions, Johnson explains. They repeatedly deny negative outcomes and, later on, accept they’ll carry on committing crime no matter what. Cybercriminals focus on the joy of their dark craft, harvest interconnected practicalities, and exploit subtleties that stretch way beyond the confines of a computer screen and escalate to geopolitics.

As a simple example, Johnson used to hijack IP addresses in Eastern Europe when committing identity fraud, as they were less likely to be reported to the US due to the deteriorating political relationships between the countries. Everything matters. Detail matters most. That’s why, he explains, in the context of “friendly fraud” (or refund fraud), miscreants do their homework.

“Really, criminals are the only people on the planet who read the Terms of Service on websites. No one else reads them,” he says. Criminals do it, he adds, to “get an idea of how that website operates.”

Time, he says, is also critical, and “if you wait out a victim long enough then they’ll go away exasperated”—a lesson he learned early from his first eBay scam. Online victims rarely report a crime to the cops. It’s a trend that frustrates cyber crime police units. Worse still, some companies decline to report cyber attacks and can—as was recently revealed with the latest Uber scandal—go to extreme lengths to conceal a system hack affecting customer data.

When it comes to cyber-enabled financial crime, Johnson says, hijacking identities remains central to the process. It was this knowledge that, in 2004, led him to take over Counterfeitlibrary.com: the site that attracted cybercriminals who wanted a fake identity.

One of the cornerstones of cyber crime is “networking between individuals to realize maximum success or potential for financial crime,” he explains. The vast majority of online fraudsters aren’t “professionals.” Instead, most fraudsters feed off each other: publishing manuals, guides, and notes while helping out in forums wherever possible. If one cybercriminal finds a loophole in a multinational’s system, then it’s all hands on deck. The £2.5m stolen from Tesco Bank in the UK last year started from a single forum post of someone claiming that they had taken out £1,000.

That’s exactly why monitoring what’s going on in the Dark Web is so important for companies. But it’s not just potential corporate victims who are being trained in this dark art. Top cybercriminals charge wannabe scammers hundreds of dollars for six-week online courses on how to commit fraud. They also protect each other; giving advice on how to maintain and secure their own anonymity online. Back in the day, Johnson did the same thing for free for ShadowCrew members. Now, everything is monetized.

Chasing shadows

Johnson ran the ShadowCrew network, where he sold fraudulent bank accounts and prepaid debit cards while collaborating extensively with others to combine phishing scams and the CVV1 hack. ShadowCrew moderator Albert Gonzalez was sentenced to 20 years for masterminding the online theft of 170 million card numbers. And it was that network that eventually landed Johnson behind bars.

But his crimes don’t end there: Johnson also established online tax fraud based on hijacked identities—a highly lucrative criminal activity. It became central to the illegal flow of money that he’d set up. He used the California Death Index and filed tax returns for the dead; surprisingly, it worked. He could file one tax return every six minutes but couldn’t open online bank accounts fast enough. Over the course of his cybercriminal activities, Johnson had opened “hundreds of accounts.” Some weeks, he claims, he was “pulling out US$160,000 in cash.”

Despite being an early architect of online crime, even Johnson is amazed by the scale of it today. ShadowCrew had 4,000 members, he says, whereas AlphaBay boasted 240,000 users before it was shut down by the FBI. But with what appears to be an ongoing, multi-state orchestrated distributed denial of service (DDoS) attack on major darknet forums, cybercriminals quickly flock elsewhere. Bitcoin, Johnson adds, is an almost perfect tool for cyber crime.

Banks, companies, and many different institutions routinely adopt anti-fraud tools to prevent their systems from being vulnerable to hacks and scams, but—at the same time—fraudsters embrace them, too. They test the tools to make sure that their activity avoids detection. They also purchase off-the-shelf software that blocks detection attempts altogether and scrambles behavioral detection efforts.

Another tool Johnson demonstrates allows anyone to buy hijacked IP addresses from a wide list of countries, including the UK, and costs around 30p per IP address. It also calculates, for a further 15p, a risk score for the fraudster of the probability of detection/blocking of that IP address by commercial anti-fraud and anti-spam software.

I find it difficult to get past the subtle irony of IP risk scores informing the decisions of cybercriminals. Then again, if they’re doing their own operational security, fraud-based “risk management” seems a natural next step in this evolving tango.

There’s so much to discuss with Johnson that our allotted two days go by very quickly. After his visit, we connect online and he suggests renaming my long lost Unix alias from carlito, which is a moniker now reserved by someone else, to carl1to—with the number “1” denoting the first Carlito in a nod to a 1990s mobster movie starring Al Pacino. Somehow, it feels like a fitting end to my time with the Original Internet Godfather.

It's not at all obvious from this article, but the original article linked at the top has a 2-hour (audio) interview. I haven't listened to it, but I'd bet it's longer/more informative than this, which seems more of an introduction than anything else.

Oh look, another man who leveraged his criminal notoriety to establish a successful cyber-security consulting business wants to tell us that crime doesn't pay.

It's just core ideals of selfishness and immediate gratification. What is a criminal or fraudster? One whose personal gain comes at the expense of those around them in a community. From there, what is a CI (informant)? One who is going to turn in those who once worked with them for their mutual, if criminal, enrichment, in order to lessen their penalties under the law.

The FBI and Secret Service agents are no better. They are willing to nearly eliminate what would be legally obtained sentences for one individual for a significantly greater ease and success in their jobs. These aren't lofty and to be highly regarded law enforcement officials working for the people. They're frequently little better or worse than the pitiful average and unwashed masses pretending to have some honorable career in law enforcement. They and associated US Attorneys make the same deals with pedophiles and human traffickers given the opportunity to put enough Ws on the board.

These stories are only appealing because they are areas where the crime isn't necessarily too close for home or abhorrent morally -- like the movie Catch Me If You Can -- it sounds like a cute cat and mouse scenario which never hurt you personally.

Similarly, I enjoyed Mindhunters, but none of the investigative or psychological constructs were new. Popular culture of the referenced period merely had conveniently forgotten the ideas and backgrounds despite hundreds of years of literature pointing at such moral aberrations and increased need for thrill and obsession in societies all too able to feed every member.

As for the article itself, yeah, just introductory fluff, almost assuredly part of some cross-promotion agreement for both sites to generate those all so important clicks. What then does it make the journalist who edifies a confessed and guilty criminal for click?

Cyborgu's comment still stands though. Brett Johnson got a slap on the wrist and a consulting gig that turned into funds to start a company that tries to prevent exactly what he did for decades? WTF?? He got barely a slap on the wrist and a wad of cash for his years of criminal endeavors at tax payer expense no less.

This asshole should be in prison.

I don't understand why this country likes to sensationalize criminals -- Brett Johnson various rappers that used to be big time drug dealers and gangsters -- television shows about the families of dead crime bosses that are living off the money they extorted (John Gotti) and on and on ....

Why the F is any of this sh*t a good thing? Fine use Johnson as a consultant -- even make that his probation. But throw his f*cking a** in prison for 10 years minimum -- no parole then mandate that he assists law enforcement on his own dime and pays retribution to the tax payers that he f*cked over for years.

A decent group of people I know recently got laid off from their jobs en masse and are busting their asses to find work to pay the bills and this criminal gets government contracts paid off the taxes that my friends are required to pay out.

Kind of kills the whole "crime doesn't pay" mantra doesn't it.

Definitely, my statements were in support, explanation, and expansion of the original idea from Cyborgu.

My argument goes in the direction that we have a massive crisis in public service where a huge portion of the public servants have transitioned from demographics wanting to serve their community to a culture of false altruism and the best retirement packages the rest of the taxpayers can buy and only dream of. It's a long term wealth strategy instead of being an integral and benevolent part of a greater society.

Public servants chose to hand Johnson a good life in exchange for making their jobs easier and less work. A criminal doesn't get to leverage these kinds of deals without a HUGE list of prosecutors, their office staff, law enforcement, and jurists supporting the move. It's one of those, what kind of people can live with themselves moment to let guys like this off.

It doesn't help then that the 4th estate rarely focuses on what shitbags these people are (are and not were -- each day of freedom comes on the backs of co-conspirators in prison) or the questionable morals and ethics of the enablers (justice / law enforcement) after the fact. It's just a cheap anti-hero story to spin, instead of the harsh reality that this is a person who hurt other people for their own gain.

Hell this author helps build a false narrative where Johnson was some poor soul destined for fraud and just "this idiot" using the magically non-judgmental phrasing of "who broke the law". How offensive to Johnson's victims is such language? And people wonder why it is so easy to distrust the press...

Well, he did spend a lot of time in prison (8 months in solitary).

It's easier to just spend that time learning the same skills but not committing actual felonies. Even now I wouldn't be surprised if he can really only work for himself, imagine the sales pitch to the CFO to put this guy on your cybersecurity team. On the one hand, it makes sense, but on the other, if he steals all your shit you look like the dumbest person who ever existed. You also would have to convince shareholders and clients that he is "trustworthy" now too.

You're missing the part where he is endorsed by the federal government as a "trustworthy" CI and that is why he is out so early. That's Kevin Mitnick or Steve Wozniak grade street cred in security.

Also, he gets to play the "I'm on parole, I don't want to go back to prison, you should trust me." card everywhere he goes. If he's a really good showman, it goes a step further in the conference room, "This is special agent K. Y. Jelly, he's my attache from the FBI. He shadows my work everywhere I go to report back to Quantico because of the important things we're doing at Double Penetration Security."

Cybersecurity is a bit of a bullshit smoke and mirrors field still. Companies are paying lawyer rates (>$400/hr) for audits and reports because C-levels and MBAs don't understand technology or security. Sure there are legitimate infosec consulting companies, but like the government, they fail to self police and excise the charlatans because either a) they are too confused to see it's a charlatan or b) they need to protect "the industry". Further, I've worked with enough infosec types who think talent and brilliance in the field is this ineffable quality owned by too few to oust the former black hats. The word "legend" gets thrown around a lot and reputation for ability trumps reliability and ethics every time.

Wasn't the original Dark Web just webpages and forums that weren't indexed by web searchers?

Heck even in 2002 you still had to manually submit your webpages to places like Yahoo and Altavista.

Hence those places were in the dark because even the hours long searches that took to find stuff online back then using Altavista and Yahoo didn't find them listed even if they actually had a web address.

Not only that, just because you submitted websites to them didn't mean they would actually index them.

hmm, a precursor to ANOTHER hollywood/etc release that MANAGES to profit from the notoriety of yet ANOTHER 'recovering' criminal?

wheee, tales of tears, sex, money, government agents..... all the makings of 'amusement' for the masses!

'mericans seem to thrive on these down to earth gossipy heaps of corruption, deception and 'ethical rebirth'. buttttt, that's really not saying much, since these types of two leggs are scattered globally, entrenched in every society, every neighborhood and around every corner, big scam or small, or personal breaches of trust.

all the while, CEO's and other high end criminals find even more clever ways to siphon away the earnings of those who actually produce goods, sweat for their very existence and live with more than a bond of words or a writ of contract.

not much has changed......despite the claims of civilization, technology and erudite arrogance